mirror of
https://github.com/snipe/snipe-it.git
synced 2024-12-24 13:14:07 -08:00
Fixes XSS vulnerabilities (#6831)
* Properly escape log_meta values * Vue syntax fix to allow npm run dev to work again * Janky fix for Select2 bug * Compiled production assets * Escape user’s last name in API * Removed duplicate alertClass * Compiled production assets
This commit is contained in:
parent
dec77890bd
commit
dee92cfc6c
|
@ -26,6 +26,18 @@ class ActionlogsTransformer
|
|||
if ($actionlog->filename!='') {
|
||||
$icon = e(\App\Helpers\Helper::filetype_icon($actionlog->filename));
|
||||
}
|
||||
|
||||
// This is necessary since we can't escape special characters within a JSON object
|
||||
if (($actionlog->log_meta) && ($actionlog->log_meta!='')) {
|
||||
$meta_array = json_decode($actionlog->log_meta);
|
||||
foreach ($meta_array as $key => $value) {
|
||||
foreach ($value as $meta_key => $meta_value) {
|
||||
$clean_meta[$key][$meta_key] = e($meta_value);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
$array = [
|
||||
'id' => (int) $actionlog->id,
|
||||
'icon' => $icon,
|
||||
|
@ -64,7 +76,7 @@ class ActionlogsTransformer
|
|||
|
||||
'note' => ($actionlog->note) ? e($actionlog->note): null,
|
||||
'signature_file' => ($actionlog->accept_signature) ? route('log.signature.view', ['filename' => $actionlog->accept_signature ]) : null,
|
||||
'log_meta' => ($actionlog->log_meta) ? json_decode($actionlog->log_meta): null,
|
||||
'log_meta' => ((isset($clean_meta)) && (is_array($clean_meta))) ? $clean_meta: null,
|
||||
|
||||
|
||||
];
|
||||
|
|
|
@ -24,7 +24,7 @@ class UsersTransformer
|
|||
$array = [
|
||||
'id' => (int) $user->id,
|
||||
'avatar' => e($user->present()->gravatar),
|
||||
'name' => e($user->first_name).' '.($user->last_name),
|
||||
'name' => e($user->first_name).' '.e($user->last_name),
|
||||
'first_name' => e($user->first_name),
|
||||
'last_name' => e($user->last_name),
|
||||
'username' => e($user->username),
|
||||
|
|
Binary file not shown.
BIN
public/css/dist/all.css
vendored
BIN
public/css/dist/all.css
vendored
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
BIN
public/js/dist/all.js
vendored
BIN
public/js/dist/all.js
vendored
Binary file not shown.
|
@ -1,14 +1,14 @@
|
|||
{
|
||||
"/js/build/vue.js": "/js/build/vue.js?id=af0a53aa1b89d0e19039",
|
||||
"/js/build/vue.js": "/js/build/vue.js?id=96f90510b797ac27a94b",
|
||||
"/css/AdminLTE.css": "/css/AdminLTE.css?id=5e72463a66acbcc740d5",
|
||||
"/css/app.css": "/css/app.css?id=407edb63cc6b6dc62405",
|
||||
"/css/overrides.css": "/css/overrides.css?id=2d81c3704393bac77011",
|
||||
"/js/build/vue.js.map": "/js/build/vue.js.map?id=79fce5e6515d8a4cc760",
|
||||
"/js/build/vue.js.map": "/js/build/vue.js.map?id=423f16f63b86abd6b196",
|
||||
"/css/AdminLTE.css.map": "/css/AdminLTE.css.map?id=0be7790b84909dca6a0a",
|
||||
"/css/app.css.map": "/css/app.css.map?id=96b5c985e860716e6a16",
|
||||
"/css/overrides.css.map": "/css/overrides.css.map?id=f7ce9ca49027594ac402",
|
||||
"/css/dist/all.css": "/css/dist/all.css?id=98db4e9b7650453c8b00",
|
||||
"/js/dist/all.js": "/js/dist/all.js?id=a3a656ed6316d4c4efe7",
|
||||
"/js/dist/all.js": "/js/dist/all.js?id=114f1025a1b3e8975476",
|
||||
"/css/build/all.css": "/css/build/all.css?id=98db4e9b7650453c8b00",
|
||||
"/js/build/all.js": "/js/build/all.js?id=a3a656ed6316d4c4efe7"
|
||||
}
|
||||
"/js/build/all.js": "/js/build/all.js?id=114f1025a1b3e8975476"
|
||||
}
|
||||
|
|
|
@ -40,9 +40,8 @@ tr {
|
|||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="alert col-md-12"
|
||||
<div class="alert col-md-12" style="text-align:left"
|
||||
:class="alertClass"
|
||||
style="text-align:left"
|
||||
v-if="statusText">
|
||||
{{ this.statusText }}
|
||||
</div>
|
||||
|
@ -84,7 +83,6 @@ tr {
|
|||
|
||||
<div class="alert col-md-12" style="padding-top: 20px;"
|
||||
:class="alertClass"
|
||||
style="text-align:left"
|
||||
v-if="statusText">
|
||||
{{ this.statusText }}
|
||||
</div>
|
||||
|
|
|
@ -260,7 +260,18 @@ $(document).ready(function () {
|
|||
}
|
||||
|
||||
function formatDataSelection (datalist) {
|
||||
return datalist.text;
|
||||
// This a heinous workaround for a known bug in Select2.
|
||||
// Without this, the rich selectlists are vulnerable to XSS.
|
||||
// Many thanks to @uberbrady for this fix. It ain't pretty,
|
||||
// but it resolves the issue until Select2 addresses it on their end.
|
||||
//
|
||||
// Bug was reported in 2016 :{
|
||||
// https://github.com/select2/select2/issues/4587
|
||||
|
||||
return datalist.text.replace(/>/g, '>')
|
||||
.replace(/</g, '<')
|
||||
.replace(/"/g, '"')
|
||||
.replace(/'/g, ''');
|
||||
}
|
||||
|
||||
// This handles the radio button selectors for the checkout-to-foo options
|
||||
|
|
Loading…
Reference in a new issue